├── core-terms
│   ├── bbp-core-terms-02-scope.md
│   ├── vdp-core-terms-02-scope.md
│   ├── bbp-core-terms-04-rewards.md
│   ├── bbp-core-terms-07-official-channels.md
│   ├── vdp-core-terms-06-official-channels.md
│   ├── vdp-core-terms-03-out-of-scope.md
│   ├── bbp-core-terms-03-out-of-scope.md
│   ├── bbp-core-terms-01-introduction.md
│   ├── vdp-core-terms-01-introduction.md
│   ├── bbp-core-terms-05-our-commitments.md
│   ├── vdp-core-terms-04-our-commitments.md
│   ├── vdp-core-terms-05-our-expectations.md
│   ├── bbp-core-terms-06-our-expectations.md
│   ├── bbp-core-terms-08-safe-harbor.md
│   └── vdp-core-terms-07-safe-harbor.md
├── simple-safeharbor
│   └── simple-safe-harbor.md
├── regional
│   ├── BEL-core-terms.md
│   ├── NLD-core-terms.md
│   ├── USA-core-terms.md
│   ├── AUS-core-terms-draft.md
│   ├── GBR-core-terms-draft.md
│   ├── NZD-core-terms-draft.md
│   └── CAN-core-terms.md
├── archive
│   ├── generic-core-terms.md
│   └── core-terms-US-2020-ELECTIONS.md
├── core-terms-vdp.md
├── core-terms-bbp.md
├── README.md
└── LICENSE

/core-terms/bbp-core-terms-02-scope.md:
--------------------------------------------------------------------------------
## Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by {{organization}}.
--------------------------------------------------------------------------------
/core-terms/vdp-core-terms-02-scope.md:
--------------------------------------------------------------------------------
## Scope

This policy applies to any digital assets owned, operated, or maintained by {{organization}}, including public-facing websites.
--------------------------------------------------------------------------------
/core-terms/bbp-core-terms-04-rewards.md:
--------------------------------------------------------------------------------
## Scope

This policy applies to any digital assets owned, operated, or maintained by {{organization}}, including public-facing websites.
--------------------------------------------------------------------------------
/core-terms/bbp-core-terms-07-official-channels.md:
--------------------------------------------------------------------------------
## Official Channels

Please use {{channel}} to report security issues, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
--------------------------------------------------------------------------------
/core-terms/vdp-core-terms-06-official-channels.md:
--------------------------------------------------------------------------------
## Official Channels

Please use {{channel}} to report security issues, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
--------------------------------------------------------------------------------
/core-terms/vdp-core-terms-03-out-of-scope.md:
--------------------------------------------------------------------------------
## Out of Scope

- Assets or other equipment not owned by parties participating in this policy.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
--------------------------------------------------------------------------------
/core-terms/bbp-core-terms-03-out-of-scope.md:
--------------------------------------------------------------------------------
## Out of Scope

- Assets or other equipment not owned by parties participating in this policy or not listed in "Systems In Scope."

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
--------------------------------------------------------------------------------
/core-terms/bbp-core-terms-01-introduction.md:
--------------------------------------------------------------------------------
# {{organization}} Bug Bounty Policy

## Introduction

{{organization}} welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
--------------------------------------------------------------------------------
/core-terms/vdp-core-terms-01-introduction.md:
--------------------------------------------------------------------------------
# {{organization}} Vulnerability Disclosure Policy

## Introduction

{{organization}} welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
--------------------------------------------------------------------------------
/core-terms/bbp-core-terms-05-our-commitments.md:
--------------------------------------------------------------------------------
## Our Commitments

When working with us, according to this policy, you can expect us to:

- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
--------------------------------------------------------------------------------
/core-terms/vdp-core-terms-04-our-commitments.md:
--------------------------------------------------------------------------------
## Our Commitments

When working with us, according to this policy, you can expect us to:

- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
--------------------------------------------------------------------------------
/simple-safeharbor/simple-safe-harbor.md:
--------------------------------------------------------------------------------
# Simple Safe Harbor

We consider activities conducted consistent with this policy to constitute “authorized” access under anti-hacking laws. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy.
We will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
--------------------------------------------------------------------------------
/core-terms/vdp-core-terms-05-our-expectations.md:
--------------------------------------------------------------------------------
## Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

- Play by the rules, including following this policy and any other relevant agreements.
  If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least {{disclosure_window}} from the initial report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
--------------------------------------------------------------------------------
/core-terms/bbp-core-terms-06-our-expectations.md:
--------------------------------------------------------------------------------
## Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

- Play by the rules, including following this policy and any other relevant agreements.
  If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least {{disclosure_window}} from the initial report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
--------------------------------------------------------------------------------
/core-terms/bbp-core-terms-08-safe-harbor.md:
--------------------------------------------------------------------------------
## Safe Harbor

When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:

- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

> Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.
--------------------------------------------------------------------------------
/core-terms/vdp-core-terms-07-safe-harbor.md:
--------------------------------------------------------------------------------
## Safe Harbor

When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:

- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

> Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.
--------------------------------------------------------------------------------
/regional/BEL-core-terms.md:
--------------------------------------------------------------------------------
# Introduction

We attach great importance to cybersecurity, and we appreciate reports from ethical hackers who help us maintain our high privacy and security standards. We support ethical vulnerability research and responsible disclosure.
This policy describes what we consider ethical conduct, and what we promise to those who respect these guidelines.

# What we promise

We investigate every vulnerability reported in accordance with these guidelines, and respond to every submission within a reasonable time.
We fix vulnerabilities in a timely manner.
We acknowledge all submissions that have not been reported before, if they result in a change to our code or infrastructure.

# Covered by this policy

# Excluded from this policy

# Rewards

# Disclosure policy

# Ground rules

To encourage ethical vulnerability research and to ensure that it is not regarded as malicious, we ask that you:

- Respect the rules. This includes this policy and any other rules that apply.
- Report vulnerabilities promptly.
- Avoid privacy violations, damage to systems or data, or anything else that has a negative impact on the user experience.
- Use only the official channels to discuss possible vulnerabilities with us.
- Handle confidential data or details arising from vulnerabilities according to our disclosure policy.
- Limit your tests to what falls within this policy. Testing things or systems that are explicitly excluded from the policy is not permitted.
- If a vulnerability gives unintended access to information, make sure that the information you obtain is limited to the absolute minimum needed to demonstrate the existence of the vulnerability, and stop testing as soon as you come across personal data, health data or credit card information of third parties.
- Use only your own test accounts, or accounts of persons from whom you have obtained explicit permission.
- Demanding a reward in exchange for information about vulnerabilities, or any other form of extortion, is prohibited.

# Safe harbor principle

Ethical research into vulnerabilities within our systems that respects the above guidelines is considered by us to be:

- Permitted and authorized under the law on computer crime (including computer fraud, computer forgery, computer sabotage and hacking). We will not take or support legal action in the case of accidental, well-intentioned violations of this policy.
- A permitted deviation from restrictions in our terms of use that conflict with this policy.
- Lawful, in good faith, and helpful to the overall security of the internet.

During your research, do not violate any laws that this policy has no influence over. If legal action is taken against you by a third party and you have respected the above guidelines, we will make it known that your actions were in accordance with our policy.

If you have questions or are unsure whether your research falls within our guidelines, first ask via our official channels before proceeding.
--------------------------------------------------------------------------------
/regional/NLD-core-terms.md:
--------------------------------------------------------------------------------
# Introduction

We attach great importance to cybersecurity, and we appreciate reports from ethical hackers who help us maintain our high privacy and security standards. We support ethical vulnerability research and responsible disclosure.
This policy describes what we consider ethical conduct, and what we promise to those who respect these guidelines.

# What we promise

We investigate every vulnerability reported in accordance with these guidelines, and respond to every submission within a reasonable time.
We fix vulnerabilities in a timely manner.
We acknowledge all submissions that have not been reported before, if they result in a change to our code or infrastructure.

# Covered by this policy

# Excluded from this policy

# Rewards

# Disclosure policy

# Ground rules

To encourage ethical vulnerability research and to ensure that it is not regarded as malicious, we ask that you:

- Respect the rules. This includes this policy and any other rules that apply.
- Report vulnerabilities promptly.
- Avoid privacy violations, damage to systems or data, or anything else that has a negative impact on the user experience.
- Use only the official channels to discuss possible vulnerabilities with us.
- Handle confidential data or details arising from vulnerabilities according to our disclosure policy.
- Limit your tests to what falls within this policy. Testing things or systems that are explicitly excluded from the policy is not permitted.
- If a vulnerability gives unintended access to information, make sure that the information you obtain is limited to the absolute minimum needed to demonstrate the existence of the vulnerability, and stop testing as soon as you come across personal data, health data or credit card information of third parties.
- Use only your own test accounts, or accounts of persons from whom you have obtained explicit permission.
- Demanding a reward in exchange for information about vulnerabilities, or any other form of extortion, is prohibited.

# Safe harbor principle

Ethical research into vulnerabilities within our systems that respects the above guidelines is considered by us to be:

- Permitted and authorized under the law on computer crime (including computer fraud, computer forgery, computer sabotage and hacking). We will not take or support legal action in the case of accidental, well-intentioned violations of this policy.
- A permitted deviation from restrictions in our terms of use that conflict with this policy.
- Lawful, in good faith, and helpful to the overall security of the internet.

During your research, do not violate any laws that this policy has no influence over. If legal action is taken against you by a third party and you have respected the above guidelines, we will make it known that your actions were in accordance with our policy.

If you have questions or are unsure whether your research falls within our guidelines, first ask via our official channels before proceeding.
--------------------------------------------------------------------------------
/regional/USA-core-terms.md:
--------------------------------------------------------------------------------
# Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

# Expectations

When working with us according to this policy, you can expect us to:

- Extend Safe Harbor for your vulnerability research that is related to this policy;
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

# Ground Rules

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:

- Play by the rules. This includes following this policy, as well as any other relevant agreements.
  If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

# Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

--------------------------------------------------------------------------------
/archive/generic-core-terms.md:
--------------------------------------------------------------------------------
# Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

# Expectations

When working with us according to this policy, you can expect us to:

- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

# Scope

# Out-of-Scope

# Rewards

# Disclosure Policy

# Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules.
  This includes following this policy and any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

# Safe Harbor

When conducting vulnerability research according to this policy, we consider this research conducted under this policy to be:

- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
--------------------------------------------------------------------------------
/regional/AUS-core-terms-draft.md:
--------------------------------------------------------------------------------
# Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

# Expectations

When working with us according to this policy, you can expect us to:

- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

# Scope

# Out-of-Scope

# Rewards

# Disclosure Policy

# Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules.
  This includes following this policy and any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

# Safe Harbor

When conducting vulnerability research according to this policy, we consider this research conducted under this policy to be:

- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

--------------------------------------------------------------------------------
/regional/GBR-core-terms-draft.md:
--------------------------------------------------------------------------------
# Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

# Expectations

When working with us according to this policy, you can expect us to:

- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

# Scope

# Out-of-Scope

# Rewards

# Disclosure Policy

# Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules.
This includes following this policy and any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

# Safe Harbor

We consider vulnerability research conducted according to this policy to be:

- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

--------------------------------------------------------------------------------
/regional/NZD-core-terms-draft.md:
--------------------------------------------------------------------------------
# Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

# Expectations

When working with us according to this policy, you can expect us to:

- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

# Scope

# Out-of-Scope

# Rewards

# Disclosure Policy

# Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules.
This includes following this policy and any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

# Safe Harbor

We consider vulnerability research conducted according to this policy to be:

- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

--------------------------------------------------------------------------------
/core-terms-vdp.md:
--------------------------------------------------------------------------------
# {{organization}} Vulnerability Disclosure Policy

## Introduction

{{organization}} welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect of you, and what you can expect from us.

## Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by {{organization}}.

## Out of Scope

- Assets or other equipment not owned by parties participating in this policy.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

## Our Commitments

When working with us, according to this policy, you can expect us to:

- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.

## Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least {{disclosure_window}} from the initial report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

## Official Channels

Please use {{channel}} to report security issues, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

## Safe Harbor

We consider vulnerability research conducted according to this policy to be:

- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

> Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.

--------------------------------------------------------------------------------
/regional/CAN-core-terms.md:
--------------------------------------------------------------------------------
# Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure.
This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

# Expectations

When working with us according to this policy, you can expect us to:

- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner;
- Work to develop a timely vulnerability publication schedule with you; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

# Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules. This includes following this policy, as well as any other referenced agreements;
- Report any vulnerability you’ve discovered to us promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Keep the details of any discovered vulnerabilities confidential until they are fixed and we have worked out a publication schedule with you, in accordance with this policy and the Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, including any proprietary information or data about an identifiable individual, such as financial data or personal health information;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

# Safe Harbour

We consider vulnerability research that attempts, in good faith, to comply with this policy to be:

- Authorized and with colour of right and, as such, consistent with sections 429(2) and 342.1 of the Criminal Code (and/or similar state laws);
- Authorized to the extent that it would otherwise interfere with any rights granted to us under the Copyright Act [RSC 1985, c C-42,][including ss 3, 15 and 41 of that act], and carried out with our consent [as envisioned by sections 30.63 and 41.15];
- Exempt from any relevant restrictions in our Terms & Conditions, and we waive those restrictions to the extent they are inconsistent with this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted for our benefit.

This policy prevails over any other inconsistent term or agreement.

We will not initiate or support any legal action against you for any vulnerability research that is consistent with this policy, or for any accidental, good-faith violations of this policy. To the extent that some of your vulnerability research falls outside of this policy (e.g. if some of your research impacts out-of-scope systems), this policy will continue to apply with respect to any of your activities that remain compliant with it.

This policy solely operates as a safe harbour from independent potential legal obligations or liabilities. Failure to comply with this policy will disqualify you from the safe harbour it establishes, but should not be read as creating legal obligations that would not otherwise exist or extending such obligations beyond their independent scope.

You are expected, as always, to comply with all applicable laws.

While we may change this policy from time to time, such changes will not be applied retrospectively, and the safe harbour outlined here is irrevocably extended to any vulnerability research that is carried out while this policy remains in effect.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

--------------------------------------------------------------------------------
/core-terms-bbp.md:
--------------------------------------------------------------------------------
# {{organization}} Bug Bounty Policy

## Introduction

{{organization}} welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect of you, and what you can expect from us.

## Systems in Scope

[INSERT LIST HERE]

This policy applies only to digital assets owned, operated, or maintained by {{organization}} for which {{organization}} can legally authorize security testing. Any assets not listed above are out-of-scope for security testing under this policy.

## Out of Scope

- Assets or other equipment not owned by parties participating in this policy or not listed in "Systems In Scope."

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

## Rewards

## Our Commitments

When working with us, according to this policy, you can expect us to:

- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.

## Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least {{disclosure_window}} from the initial report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.

## Official Channels

Please use {{channel}} to report security issues, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

## Safe Harbor

We consider vulnerability research conducted according to this policy to be:

- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

> Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# The disclose.io Terms (dioterms)

> Note: While we've engaged the legal opinion of many, this does not constitute legal advice. Please consult your legal counsel for the specific suitability of the disclose.io terms in your organization.

### Quick Links

| Take me to... | Link |
|---|---|
| Create a Vulnerability Disclosure Program | [https://policymaker.disclose.io/](https://policymaker.disclose.io/) |
| Learn more at the disclose.io Community Forum | [https://community.disclose.io](https://community.disclose.io) |
| Compare thousands of existing company policies | [https://disclose.io/programs](https://disclose.io/programs) |

## Navigating the dioterms Repo

- Core terms: The core terms are the primary documents in the repo. The language in these terms is designed to provide maximum flexibility whilst maintaining bi-lateral safety and readability, and accommodating varying legal environments for both the finder and the vendor. Note that while the [bug bounty terms](core-terms-bbp.md) are a subset of the [vulnerability disclosure policy (VDP) terms](/core-terms-vdp.md) with additional fields regarding rewards and scope, we've chosen to separate them to avoid ambiguity between a VDP and a bug bounty.
- [Core modules](/core-modules/): The core modules are derived from the core terms, and are the basis for language and regional legal translation.
- [Regionalized terms](regional): The regionalized terms have been contributed by PSIRTs, disclosure platforms, security policy advocates, and vendor program operators.
- [Archive](/archive): This folder contains deprecated or archived terms for posterity and easy reference.

## Choosing terms

Organizations should first choose the boilerplate that is the best fit for their organization. The dioterms repo contains a number of different options:

* Core terms for [VDP](/core-terms-vdp.md) and [BBP](core-terms-bbp.md), designed to provide maximum flexibility whilst maintaining bi-lateral safety and readability,
* [Regionalized terms](https://github.com/disclose/dioterms/tree/master/regional), which accommodate the laws and languages of the country or jurisdiction of the organization,
* [Verticalized terms](https://github.com/disclose/dioterms/tree/master/vertical), which take the nuances of different industries or use-cases (e.g. election infrastructure) into account, and
* [Simple Safe Harbor](https://github.com/disclose/dioterms/tree/simple-safeharbor/simple-safe-harbor.md), which is designed to add Safe Harbor language to VDPs and bug bounty programs which are already in place.

### About Safe Harbor

The core requirements for disclose.io's definition of **Full Safe Harbor** are for the policy to provide:

- Authorization against anti-hacking laws
- Exemption from anti-circumvention laws
- Exemption from violation of the TOS/AUP during security testing
- A statement acknowledging good faith.

The intention of the Safe Harbor language provided by disclose.io is for it to be followed specifically, with minor, if any, modifications. If modifications are made, the four tenets laid out above are the most important to address in your policy.

Policies missing any of the core tenets above, but that still contain a good-faith statement committing not to pursue legal action against security researchers, meet the criteria for **Partial Safe Harbor**.

> Note: Incentives or "bounties" for vulnerability reports are not a prerequisite for Safe Harbor or for a program to be considered a VDP.

### Disclosure types

- **Coordinated Disclosure**: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, or after a clearly-stated time has passed from submission, whichever is sooner;
- **Discretionary Disclosure**: The researcher or the program owner can request mutual permission to share details of the vulnerability after approval is explicitly received; or
- **Non-Disclosure**: Researchers are required to keep vulnerability details and the existence of the program itself confidential, regardless of the fix or any conversations between them and the vendor. Note that non-disclosure is considered inappropriate and generally ineffective as a disclosure type for VDPs.

### Disclose.io Status

Disclose.io maintains five levels of best-practice attainment:

- **security.txt**: The subdomain/domain contains a security.txt file only.
- **Basic**: A publicly available Policy and Official Channel exist.
- **Partial**: Basic, with the addition of **Partial Safe Harbor** provisions.
- **Full**: Basic, with the addition of **Full Safe Harbor** provisions.
- **Full with CVD**: Full, with the addition of a **Coordinated Disclosure Policy** that includes a proactive disclosure timeline.

### Additional terms

In each template we've also provided boilerplate examples for the additional sections.

- **Scope** (Required) – A complete list of "In-Scope" properties for which the organization is explicitly allowing and encouraging good-faith security research. Keep in mind that a true vulnerability disclosure program considers the entire attack surface of the organization running the program, so erring on the side of inclusiveness is best practice with respect to scope.
- **Out-of-Scope** (Optional) – A non-exhaustive list of systems and security testing activities that the organization strongly wishes to discourage testing against.
- **Rewards** (Optional) – Information on whether or not the program offers payment for valid, unique issues, as well as the type and parameters of that compensation.
- **Official Communication Channels** (Required) – A full list of the communication methods that are made available by the organization to receive and communicate about vulnerability submissions.
- **Disclosure Policy** (Required) – A clear policy outlining the conditions under which a researcher can disclose the details of a reported issue to third parties.

## Next steps

Once you've published your policy, you can:

- Add the appropriate [disclose.io seal](https://github.com/disclose/dioseal) to your public program brief,
- Submit a pull request to add your program to the [open-source disclose.io program list](https://github.com/disclose/diodb),
- Let the world know you're joining the initiative!
- Contribute back to the [disclose.io](https://disclose.io) project!

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.
122 | -------------------------------------------------------------------------------- /archive/core-terms-US-2020-ELECTIONS.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | As state government operators of election infrastructure, we believe the protection of our election infrastructure is critical to the integrity of our democracy. Therefore, we value the input of security researchers acting in good faith to help us maintain a high standard for the security of our systems, which in turn gives American voters confidence in our electoral process. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return. 4 | 5 | # Systems In Scope 6 | 7 | The scope of this policy includes only Internet-accessible election applications and infrastructure owned by the participating state agencies (and their county and local subdivisions), to include: 8 | - Voter registration databases, 9 | - e-Poll books, 10 | - Election night reporting systems, 11 | - *etc... [State or County completes with in-scope domains and system types/categories].* 12 | 13 | Any systems not listed above are out-of-scope for security testing under this policy. Any discovered or suspected vulnerabilities in out of scope systems should be reported to the appropriate vendor, or to CERT/CC. 14 | 15 | # Systems Out of Scope 16 | 17 | Out-of-scope systems include infrastructure or other equipment not owned by participating state agencies and their county and local subdivisions. It is the responsibility of vulnerability researchers, testers, or others seeking to comply with this policy to ensure the equipment or system is not out-of-scope. 
18 | 19 | *[Optional: Provide more details on systems that are out-of-scope and/or how vulnerability reporters or researchers may distinguish systems that are in- and out-of-scope.]* 20 | 21 | # Official Communication Channels 22 | 23 | Information regarding vulnerabilities for in-scope systems should be sent through the following channel: *[Required: Email address, web form URL, or platform URL for vulnerability submissions goes here]* 24 | 25 | # Expectations 26 | 27 | When working with us according to this policy, you can expect us to: 28 | - Always hold the integrity of the democractic process as critical to our mission; 29 | - Prioritize security and privacy of voters and our other stakeholders; 30 | - Work with you to understand and validate your report, including a timely initial response to the submission; 31 | - Work to mitigate discovered vulnerabilities within our budget and operations constraints; 32 | - Recognize your contribution to improving our security - after mitigation and at a time of our choosing - if you are the first to report a unique vulnerability, and your report triggers a code or configuration change; and 33 | - Extend Safe Harbor for your vulnerability research that adheres to the Ground Rules. 34 | 35 | While we will always strongly consider your assessment and recommendations regarding vulnerability severity, we retain the authority to determine what vulnerabilities can and should be remediated and in what time frame. We will always prioritize our mission to administer fair elections, and will address vulnerabilities to the best of our ability to achieve that goal. 36 | 37 | # Ground Rules 38 | 39 | To encourage responsible vulnerability research and to avoid any confusion between good-faith research and malicious attack, we ask that you follow these Ground Rules. Activities that do not follow these Ground Rules should be considered out of scope. 
Modifications to these Ground Rules can only be provided in writing from authorized officials. 40 | 41 | - Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail; 42 | - Report any vulnerability you’ve discovered promptly through the Official Channels listed above. Use only the Official Channels to discuss vulnerability information with us; Public disclosure of election-related vulnerabilities can harm voter confidence and negate the benefits of this policy, and thus is out of scope of this policy, unless permission is granted in writing by officials with authority to do so. Keep the details of any discovered vulnerabilities confidential until they are mitigated, according to the Disclosure Policy, unless permission is granted in writing by officials with authority to do so; 43 | - Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope; 44 | - You should only interact with test accounts you own or with explicit permission from the account holder; 45 | - Do not damage our systems or degrade user experience, such as via a denial-of-service attack, and under no circumstances disrupt a live election or voters' ability to cast ballots; 46 | - Do not engage in phishing attacks; 47 | - Do not misrepresent yourself to be an election worker, government official, or representative of another organization; 48 | - Do not exfiltrate, modify, or destroy system data; 49 | - Avoid violating the privacy of others; do not obtain, modify, or disclose sensitive or individually identifying information of third parties; and 50 | - Do not require payment in exchange for disclosing your findings, withholding disclosure of your findings, or other services rendered. 
Additional paid services, such as payment for vulnerability testing or mitigation, require a contract or arrangement separate from this policy. 51 | 52 | 53 | If a vulnerability provides unintended access to data: 54 | - Cease testing and submit a report immediately if you encounter any user or voter data during testing, such as Personally Identifiable Information (PII); 55 | - Limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept - for example, a screenshot of 3-5 records is sufficient for your proof of concept; 56 | - Avoid downloading or extracting data of any kind beyond the minimum necessary for a proof of concept. 57 | 58 | # Disclosure Policy 59 | 60 | We have commitments both to transparency and voter trust. As part of those commitments, we seek to ensure vulnerabilities are adequately analyzed and mitigated to maintain user protection, and that public communications about vulnerabilities are accurate, helpful, and not premature. To that end, recognizing that these processes require a time commitment, and given the sensitive nature of election security and the need to preserve voter confidence in the electoral process, we request that you keep the details of any discovered vulnerabilities confidential until they are appropriately mitigated. 61 | 62 | Until the vulnerability is mitigated, the researcher may share details of the vulnerability only with written permission from state officials with authorization to provide approval to disclose. 63 | 64 | # Safe Harbor 65 | 66 | When conducting vulnerability research according to this policy, we will not initiate legal action against you under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, violations of our Terms & Conditions, or similar state laws. We will not initiate or support legal action against you for accidental, good faith violations of this policy that do not cause damage or harm or violate the privacy of others. 
67 | 68 | 69 | Please note that this safe harbor applies only to legal claims under the control of the state agencies participating in this policy. For example, the policy does not apply to third party claims that are independent of the state. You are expected to comply with all applicable laws. The state agencies participating in this policy will comply with applicable laws and lawful orders. 70 | If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further. 71 | 72 | # Rewards 73 | 74 | Rewards for vulnerabilities may be awarded at the discretion of the Secretary of State as funds are available. Under this policy, security researchers are not authorized to solicit reward or payment for services rendered as part of the disclosure process. --------------------------------------------------------------------------------